Aleksei Udovenko hellman

@hellman
hellman / 1_trace.py
Created September 30, 2019 08:40
PwnThyBytes 2019 CTF - unconventional
"""
echo pass | TRACE=trace1 time gdb -x script.py -batch ./unconventional >/dev/null
~1 minute
"""
import gdb, re, os
gdb.execute('break *0x40542f')
gdb.execute('run')
f = open(os.environ["TRACE"], "w")
@hellman
hellman / 1_solve.c
Last active October 4, 2019 08:37
PwnThyBytes 2019 CTF - avec
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <assert.h>
#include <openssl/aes.h>
/*
gcc -O3 solve.c -L. -lghash_clmul -lcrypto -o solve
@hellman
hellman / 1_solution.py
Last active October 4, 2019 08:37
PwnThyBytes 2019 CTF - LOTR
#-*- coding:utf-8 -*-
# python3 adaptation...
from __future__ import print_function, division
from sage.all import *
# begin copy paste ================
import hashlib
f = open('gov_officials_PK.txt','r')
@hellman
hellman / rsa_privleak_halflsb.py
Created May 13, 2019 06:41
RSA with half least significant bits of d leaked (optimized for larger e)
#-*- coding:utf-8 -*-
from sage.all import *
BITS = 2048
NLEAK = 1024-22
# E = 0x10001
E = next_prime(2**22)
print "E", E
@hellman
hellman / 0_sol.ipynb
Last active April 10, 2019 08:47
Midnight Sun CTF 2019 Quals - open-gyckel-krypto
@hellman
hellman / 1_multicollision.py
Created April 7, 2019 16:23
Spam and Flags CTF 2019 Teaser - QuadHash
#-*- coding:utf-8 -*-
from common import *
def extend(alg, prefhashes):
    if alg == 0:
        prefhash = prefhashes[alg]
        table = {}
        seen = set()
@hellman
hellman / 0_writeup.md
Last active April 10, 2019 08:56
Midnight Sun CTF 2019 Quals - Tulpan

In this challenge the flag is treated as a polynomial over GF(257), blinded by a random known polynomial, and then evaluated at the first 107 integers. However, each result is corrupted with probability 43/108. The polynomial has degree 25, so we need 26 correct points to interpolate it. Observe that by choosing 26 random points from those given, we have a feasible probability of getting an error-free set:

sage: math.log(binomial(108-43, 26) / binomial(108, 26), 2)
-22.716429556377932

That is, we need to try around 7 000 000 random subsets. This can be done in 10 minutes on 8 cores with simple Sage code.

@hellman
hellman / 1_generate_pairs.py
Last active March 26, 2019 18:27
0CTF 2019 Quals - zer0mi (Crypto 611 pts)
#!/usr/bin/env sage
'''
Multivariate Public Key Cryptosystems by Jintai Ding et al., Chapter 2
Explains attack by Jacques Patarin.
The idea is to find a relation of plaintext-ciphertext bytes such that
when ciphertext is fixed, the relation is linear in plaintext.
Patarin showed that a sufficient amount of such relations exists.
'''
from sage.all import *
@hellman
hellman / 1_solve.py
Last active March 26, 2019 18:28
0CTF 2019 Quals - zer0lfsr (Crypto 207 pts)
#!/usr/bin/env sage
'''
The third LFSR has low period: 378.
If the value in positions 0,378,2*378,... is equal to 0,
then the combine functions become AND of the first two LFSRs.
If the value in positions 0,378,2*378,... is equal to 1,
then the combine functions become OR of the first two LFSRs.
We can distinguish both cases easily by number of 0s/1s
(should be 25% in the first case and 75% in the second case)
@hellman
hellman / TwinPeaks2_slide_attack.py
Created October 22, 2018 06:37
NSUCRYPTO 2018 - Problem 4 - TwinPeaks2 - Slide attack
"""
Slide attack on the TwinPeaks2 cipher from NSUCRYPTO.
Disclaimer: this is not an optimal solution, just a proof-of-concept!
An actual solution is to note that Reverse(Encrypt(Reverse(x))) = Decrypt(x), where Reverse(a,b,c,d) = (d,c,b,a).
"""
from random import shuffle, randint